
Technical analysis of the Locker virus on mobile phones

Security experts from Cheetah Mobile Security Research Lab published an interesting technical analysis of the mobile variant of the Locker virus.

Blatant malicious behavior of the Locker virus

The Locker virus can easily be identified by its blatant malicious behavior. Here are the tell-tale signs:

  1. Windows appear on top of the home screen that prevent users from using their phones.
  2. The "Activate device administrator" page is displayed repeatedly to force users to grant the virus device administrator rights.
  3. Once device administrator is activated, the virus changes the lock screen password.
  4. The virus then collects the user's contact information and uses it to extort money.

A screenshot of an infected phone.

Infections of the Locker virus

The worst-hit areas of the Locker virus in China are shown in Figure 1 below. About 3,000 users are infected on a daily basis.

Figure 1. Locker virus infections in China

Figures 2 and 3 show the Locker virus infections worldwide in the last 15 days. Infections are spread across many countries, with most of them in Russia.

Figure 2. Locker virus infections worldwide in the last 15 days.

Figure 3. Map view of the Locker virus infections worldwide in the last 15 days.

Don’t be tricked by the Locker virus

The Locker virus mainly disguises itself as system applications, like Android Update, Voice Assistant, and Adobe Flash Player. However, it can also appear as other applications, like adult video players, bank apps, and popular games, as shown in Figure 4.

Figure 4. The many disguises of the Locker virus.

How does the Locker virus work?
Here are the various methods the Locker virus uses to lock a mobile screen:

  • TYPE_SYSTEM_ERROR

Added in API level 1

int TYPE_SYSTEM_ERROR

Window type: An internal system error window appears on top of the screen. In multi-user systems, it only appears on the primary user's window.

Constant Value: 2010 (0x000007da)

The internal system error window is displayed in front of all other windows (Figure 5).

Figure 5. The internal system error window.

  • FLAG_FULLSCREEN | FLAG_LAYOUT_IN_SCREEN

FLAG_FULLSCREEN

Added in API level 1

int FLAG_FULLSCREEN

Window flag: All screen decorations (such as the status bar) are hidden when an app window with this flag set is on the top layer. This allows the window to use the entire display. A fullscreen window will ignore a value of SOFT_INPUT_ADJUST_RESIZE for the window's softInputMode field; the window will stay fullscreen and will not resize.

Constant Value: 1024 (0x00000400)

It will hide all other content on the screen and only allow the current window to use the fullscreen.

FLAG_LAYOUT_IN_SCREEN

Added in API level 1

int FLAG_LAYOUT_IN_SCREEN

Window flag: It will place the window within the entire screen, ignoring decorations around the border (such as the status bar). The window must correctly position its content to take the screen decoration into account. This flag is normally set (see Figure 6) by the WindowManager, as described in setFlags(int, int).

Constant Value: 256 (0x00000100)

It places the window on the whole screen.

Figure 6. This flag is normally set by the WindowManager.

  • TYPE_PHONE

Added in API level 1

int TYPE_PHONE

Window type: Non-application windows provide user interaction with the phone (such as incoming calls). These windows are normally placed above all applications but behind the status bar. In multi-user systems, it shows on all users’ windows.

Constant Value: 2002 (0x000007d2) – as shown in Figure 7

This window will be covered when there's an incoming call. Otherwise, the window is always in the top position, under the status bar.

Figure 7. The window will be covered when there’s an incoming call.

  • TYPE_TOAST

Added in API level 1

int TYPE_TOAST

Window type: These are transient notifications. In multi-user systems, it only shows on the primary user’s window.

Constant Value: 2005 (0x000007d5)

This window type is not a floating (overlay) window, but it behaves like one and can be displayed on the top layer (Figure 8).

Figure 8. The window can be displayed on the top layer.

The virus keeps its activity on the top layer. If that activity loses the top position, the virus closes and reopens it (Figure 9).

Figure 9. Circular display of the top layer activity.

When the virus obtains administrator privileges, it changes the screen lock password (Figure 10).  

Figure 10. With administrator privileges, the virus can change the lock screen password.

Of all the methods mentioned above, the virus most frequently uses the flag TYPE_SYSTEM_ERROR to lock the screen. The second most common method is the circular display of the top layer activity. The proportions of these two methods are 16% and 84%, respectively, as shown in Figure 11.

Figure 11. The virus most frequently uses the flag TYPE_SYSTEM_ERROR to lock the screen.
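The window types and flags listed above, together with the device administrator request, are also what an analyst looks for when triaging a suspicious APK. The following is an added example, not code from the original analysis or from Cheetah Mobile: it scans a decoded AndroidManifest.xml for the overlay permission and a device-admin receiver, and scans smali for the literal window constants (0x7da, 0x7d2, 0x7d5, 0x500). The manifest and smali fixtures are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# WindowManager.LayoutParams values quoted in the analysis above.
WINDOW_CONSTS = {
    0x7DA: "TYPE_SYSTEM_ERROR",
    0x7D2: "TYPE_PHONE",
    0x7D5: "TYPE_TOAST",
    0x400 | 0x100: "FLAG_FULLSCREEN|FLAG_LAYOUT_IN_SCREEN",
}
# smali constant loads, e.g. "const/16 v1, 0x7da" or "const v0, 0x500"
SMALI_CONST = re.compile(r"\bconst(?:/\d+|/high16)?\s+[vp]\d+,\s*(-?0x[0-9a-fA-F]+|-?\d+)")

def manifest_indicators(manifest_xml):
    """Overlay permission and a device-admin receiver are the manifest-level signs."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    admin = any(r.get(ANDROID + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                for r in root.iter("receiver"))
    return {"overlay_permission": "android.permission.SYSTEM_ALERT_WINDOW" in perms,
            "device_admin_receiver": admin}

def smali_window_constants(smali):
    """Names of the locker-style window types/flags whose literal values appear in the code."""
    found = set()
    for m in SMALI_CONST.finditer(smali):
        name = WINDOW_CONSTS.get(int(m.group(1), 0))
        if name:
            found.add(name)
    return found

def triage(manifest_xml, smali):
    ind = manifest_indicators(manifest_xml)
    ind["window_constants"] = sorted(smali_window_constants(smali))
    # Flag when a lock-screen window type is combined with admin or overlay rights.
    ind["locker_like"] = bool(ind["window_constants"]) and (
        ind["device_admin_receiver"] or ind["overlay_permission"])
    return ind

# Constructed fixtures (not from a real sample): a fake "Android Update" manifest and one smali method.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Android Update">
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""
SAMPLE_SMALI = """.method private lock()V
    const/16 v1, 0x7da
    iput v1, v0, Landroid/view/WindowManager$LayoutParams;->type:I
    const/16 v1, 0x500
    iput v1, v0, Landroid/view/WindowManager$LayoutParams;->flags:I
.end method"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_SMALI))
```

Run it against the output of apktool (or any decoder that yields a plain-text manifest and smali) rather than the binary manifest inside the APK.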

Ways to protect your mobile phone

You can protect your mobile device from the Locker virus. Here's how:

  • Do not install or open apps from unknown sources.
  • Do not grant administrator’s privilege to any unknown apps.
  • Enable USB debugging so that your mobile device can be connected to a computer, or remove the virus by other means when necessary.
  • Another option is to flash a third-party recovery, such as TWRP.

Got Locked? We have solutions!

Here are some solutions to get rid of the Locker virus if your mobile device is infected:

  • If USB debugging has been enabled on the phone, you can run the following commands from a computer to delete the Locker virus:
    • Run 'pm list packages -3' to find the package name of the virus.
    • Run 'pm uninstall pkg' to delete the virus.

  • Reboot the phone into recovery mode, then use the file management function of a third-party recovery tool to delete the APK file in '/data/app/pkg'.
  • If device administrator has been activated and USB debugging enabled, and the phone is rooted, you can forcibly delete the virus and the files where the screen lock password is stored. This is how the virus can be cleared:
        1. su
        2. rm -r /data/app/'pkg' directory
        3. rm /data/system/password.key
        4. rm /data/system/gesture.key
        5. reboot
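The cleanup steps above can be scripted from the computer side over adb. This is an added example, not part of the original analysis: it parses the output of 'pm list packages -f -3' (which reports each third-party package with its APK path), ranks packages whose names echo the disguises seen in this analysis, and emits the uninstall and, for rooted phones, the rm/reboot commands. The pm output is a constructed sample; the disguise keyword list is an assumption for ranking only.

```python
import re
import shlex

# Disguise names seen in this analysis; used only as a hint when ranking packages.
DISGUISE_HINTS = ("update", "flash", "voice", "assistant", "player")
# `pm list packages -f -3` prints one line per package: package:<apk path>=<package name>
PM_LINE = re.compile(r"^package:(?P<path>/\S+?)=(?P<pkg>[\w.]+)$")

def parse_pm_list(output):
    """Map package name -> installed APK path from `pm list packages -f -3` output."""
    found = {}
    for line in output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            found[m.group("pkg")] = m.group("path")
    return found

def suspects(packages):
    """Third-party packages whose name echoes a known disguise, for manual review."""
    return sorted(p for p in packages if any(h in p.lower() for h in DISGUISE_HINTS))

def removal_commands(pkg, apk_path, rooted=False):
    """adb commands mirroring the cleanup steps above; the rooted branch also removes the lock files."""
    cmds = [f"adb shell pm uninstall {shlex.quote(pkg)}"]
    if rooted:
        # Newer installs live in /data/app/<pkg>-N/base.apk, older ones are a single /data/app/<pkg>-N.apk.
        target = apk_path.rsplit("/", 1)[0] if apk_path.endswith("/base.apk") else apk_path
        # Never let a malformed path turn this into `rm -r /data/app`.
        if not target.startswith("/data/app/") or target == "/data/app":
            raise ValueError("refusing to remove outside a package directory: " + target)
        cmds += [f"adb shell su -c {shlex.quote('rm -r ' + target)}",
                 "adb shell su -c 'rm /data/system/password.key'",
                 "adb shell su -c 'rm /data/system/gesture.key'",
                 "adb reboot"]
    return cmds

# Constructed sample output (not from a real device).
SAMPLE_OUTPUT = """package:/data/app/com.example.messenger-1/base.apk=com.example.messenger
package:/data/app/com.android.update.fake-2/base.apk=com.android.update.fake
"""

if __name__ == "__main__":
    pkgs = parse_pm_list(SAMPLE_OUTPUT)
    for pkg in suspects(pkgs):
        print("\n".join(removal_commands(pkg, pkgs[pkg], rooted=True)))
```

Confirm the package name against the disguise list in Figure 4 before running the commands; the hint list only narrows the candidates.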


Written by Cheetah Mobile Security Research Lab

Edited by Pierluigi Paganini

(Security Affairs – Locker Virus, malware)
